How to set up Samba as a Primary Domain Controller

Last updated on August 23, 2020 by Dan Nanni

A domain controller is a server which groups multiple computers to centralize their authentication system. When you are using a domain controller, you don't login to your computer, but instead login to the domain controller. Every authentication request is handled by the Primary Domain Controller (PDC).

Usually you hear about PDC using a Windows based server. In this tutorial, I'll describe how to set up a PDC using Samba, which is based on Linux.

There are four main steps for setting up Samba as a PDC:

1. Samba Installation

If you are using a Debian based Linux, run the following command on the terminal window to install Samba:

$ sudo apt-get install samba
$ sudo apt-get install samba-common
$ sudo apt-get install samba-common-bin

If you are using a Red Hat based Linux, you may use rpm or yum package manager to install Samba.

2. Samba Configuration

The main configuration of Samba server is found in /etc/samba/smb.conf. For a PDC server, there are three part of the file which you need to configure: global, netlogon, and homes.

Before you start modifying the configuration file, I suggest you back up the existing Samba configuration file.

$ sudo cp /etc/samba/smb.conf  /etc/samba/smb.conf.old

Configuring [global] parameters

[global]
workgroup = sambadomain 
netbios name = sambapdc 
server string = Samba PDC 
domain master = yes 
preferred master = yes 
domain logons = yes 
add machine script = /usr/sbin/useradd -N -g machines -c Machine -d /var/lib/samba -s /bin/false %u 
security = user 
encrypt passwords = yes 
wins support = yes 
name resolve order = wins lmhosts hosts bcast 

logon path = %N%Uprofile
logon drive = H: 
logon home = %N%U

Change the names of the workgroup and the PDC according to your environment, so that they correspond to the actual values in your network. If you have another Wins server on your network, remove "wins support = yes", because having more than one causes a problem. "wins support = yes" means Samba acting as a Netbios server.

Creating lmhosts file

Don't forget to register your domain IP address to the lmhosts file. The lmhosts file is a mapper between the IP address of the domain controller and Netbios name. When you add a Windows computer to the SAMBADOMAIN, Windows tries to find the PDC's IP address. If Windows fails to find the PDC's IP address, then you won't be able to register a computer with the PDC.

The lmhosts file should be created and placed in /etc/samba/lmhosts. The content of lmhosts file is similar to /etc/resolv.conf file, except that you need to register the Netbios name instead of the host name. For example, if your PDC has an IP address 10.10.101.1 with sambadomain as workgroup name, and sambapdc as the Netbios name, the content of the lmhosts file should look like the following:

10.10.101.1 sambadomain
10.10.101.1 sambapdc

After creating /etc/samba/lmhosts, re-run the nmbd daemon as follows:

$ sudo nmbd -H /etc/samba/lmhosts -D

Configuring [netlogon] parameters

[netlogon]
path = /var/lib/samba/netlogon 
browseable = no 
read only = no 
create mask = 0700 
directory mask = 0700 
valid users = %S 

/var/lib/samba/netlogon is a startup directory for PDC logon. When users login to the Samba PDC, a script called netlogon.bat in the directory will be executed.

$ sudo mkdir -m 0755 /var/lib/samba/netlogon

For example, if you want to automatically mount a network drive from the PDC, Create the following netlogon.bat script in /var/lib/samba/netlogon.

## Samba Logon Script
net use x: sambapdcshare

Configuring [homes] parameters

This is a configuration file for PDC user's home directory.

[homes]
 valid users = %S 
   guest ok = yes 
     read only = yes 

Testing the configuration file

After saving all configuration files, test your configuration with the following command:

$ sudo testparm

If there is any syntax error detected, fix it and restart Samba.

3. Adding Domain Users

Adding admin user and group for the PDC

In Linux, admin user is the root user. So you need to run the following command to add the root user as the Samba admin:

$ sudo smbpasswd root

You should not use the same password as the Linux root user.

Create a machines group

The next step is to create a group called machines.

$ sudo groupadd -g machines

Samba will automatically add users to this group, as long as you configure "add machine script" correctly in [global] section in /etc/samba/smb.conf.

Create a Linux Account for PDC login

You need to create a user on PDC for domain login. In this example, I will create an account that disables Linux login. So every access to the PDC must be done via Samba.

For example, creating user dan:

$ sudo smbpasswd -a dan

Enter the same password twice.

You need to activate the user with the following command:

$ sudo smbpasswd -e dan

Grant user dan to login to the PDC:

$ sudo net rpc rights grant "SAMBADOMAINdan" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
$ sudo net groupmap add ntgroup="Administrator" unixgroup=root rid=512 type=d

4. Register Windows Computers with the Samba PDC

Under Windows computer properties, change the domain name to sambadomain. Reboot your Windows PC, and try to login with SAMBADOMAIN/dan. If you successfully login, then your Samba PDC is ready.

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal or credit card

Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.

Xmodulo © 2021 ‒ AboutWrite for UsFeed ‒ Powered by DigitalOcean